Age | Commit message | Author |
|
|
|
I've omitted hunk 3 of his diff, as what's there now is correct;
ok mikeb
|
|
Replaces forcing interface link state down and up to generate
RTM_IFINFO messages.
|
|
are. Track and use the actual lengths and use memcpy()/memcmp()
instead of strcmp()/strdup().
|
|
OK deraadt@, millert@
|
|
be used to return the final size of the parsed (i.e. un-vis'ed)
string. Use same, plus memcpy() to ensure entire final string is
copied to intended destination even if there are embedded NULs.
|
|
Push the un-vising up to parse_string(). This allows both the actual
string and the un-vised version to be available as desired. Use
memcpy() instead of strdup() to copy un-vised string since it may
legitimately contain NUL.
|
|
some logic.
|
|
|
|
Started by, and ok, deraadt@
|
|
"expecting a string". Things other than filenames are parsed here.
|
|
to make sure we do not run ikev2_msg_cleanup() on an uninitialized stack
variable.
ok deraadt@ reyk@
|
|
This is currently only visible in debug mode (eg. iked -dvv), some
debug messages will be turned into regular warnings later.
OK claudio@ deraadt@
|
|
This lets us configure explicit old-style RSA again.
OK mikeb@
|
|
iked starts sending keepalive messages after authentication and after
successfully completing the handshake. Other implementations, like
we've seen on Microsoft Azure, start sending keepalive messages right
after receiving the first SA_INIT message when they set up the key
material, even before we received the SA_INIT response to complete the
DH exchange. The solution is to ignore early keepalive messages
before we're ready to encrypt our response, in the transition between
SA_INIT and AUTH. The peer should still accept one or more missed
keepalives.
OK mikeb@
|
|
-1 means "I didn't handle or know this imsg", it should not be used to
indicate an application error in this context.
OK mikeb@
|
|
found by Klemens Nanni
|
|
When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.
With and OK reyk
|
|
|
|
We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.
Suggested and OK reyk
|
|
|
|
Diff from markus@
OK mikeb@ patrick@
|
|
This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.
OK patrick@ mikeb@
|
|
These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.
Original diff from markus@ with patches from mikeb@ and me.
OK mikeb@ patrick@
|
|
Replaces incorrect manual emulation of vis() for single, double and
back quotes, dollar signs and back slashes. Just use vis() with
VIS_ALL for these characters.
Should fix problem reported by robert@ with SSIDs containing a back
slash.
|
|
consistent and easier to identify, as outlined here:
- FAT12: FAT12 (01h)
- FAT16: FAT16S (04h), FAT16B (06h), FAT16L (0Eh)
- FAT32: FAT32 (0Bh), FAT32L (0Ch)
nothing in our tree is looking at the strings being replaced for anything
but printing them out, only at the numerical ids taken from disklabel.h
ok krw@, jmc@
|
|
Pointed out by florian@.
ok bluhm@
|
|
ok mikeb@ reyk@
|
|
warn with the same severity. Switch log_warn() to LOG_ERR and keep
fatal() at LOG_CRIT.
OK reyk@ florian@
|
|
No functional change.
ok deraadt@ tb@
|
|
Pointed out by & ok bluhm
While here print prefixlen with %u, pointed out by bluhm, too.
|
|
fine with krw@
|
|
|
|
where router adverts are coming from when describing autoconf;
rework the description a little;
ok mpi
|
|
while here prefer "interface" over "ip6-interface" and show that "inet6" is
mandatory;
ok florian mpi
|
|
described in sysctl(3) and a list of available sysctls on any particular
machine is best retrieved using sysctl; text tweaked by schwarze
ok bluhm millert deraadt schwarze
|
|
state even with a correct kernel.
Reported by jmc@, ok tb@
|
|
From and OK markus, OK reyk
|
|
From and OK markus, OK reyk
|
|
Via markus, OK mikeb@
|
|
Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.
From and OK markus, OK mikeb
|
|
From and OK markus, OK reyk
|
|
ok markus@ reyk@
|
|
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP". The latter is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.
When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too. This allows faster expiry of
unused IPcomp SAs.
Disable bytes lifetime for IP compression.
ok markus@ reyk@
|
|
From and OK markus, OK reyk
|
|
Diff from markus@ with a small tweak from me.
OK mikeb@ patrick@
|
|
From and OK markus, OK reyk
|
|
otherwise we can never keep the in-daemon and the in-kernel idea
of flows in sync and iked ends up deleting flows that are still
in use. Make use of flow_cmp() and a new flow_equal() instead
of handcrafting the compare in an if.
ok markus@ reyk@
|
|
enabled. Refcounting is enabled when a policy is removed during
'ikectl reload' and still has SAs point to it. On IKESA rekeying
such a policy will be referenced by the new IKESA, so we need to
adjust the refcount -- otherwise the policies get free()d too
early and we will crash at some point.
ok markus@ mikeb@ reyk@
|
|
ok henning@ phessler@
|